
A Microsoft tool entering its fourth iteration has seen slow adoption, but it could help greatly reduce the risk of successful attacks, according to a Verizon security expert and an author of the 2013 Verizon Data Breach Investigations Report.

The beta of the fourth version of the Enhanced Mitigation Experience Toolkit (EMET) was released by Microsoft last week. The tool, which shields memory corruption vulnerabilities from exploitation, can make it much more difficult for attackers to gain an initial foothold in corporate systems, said Chris Porter, managing principal with Verizon's RISK Team. Administrators have been avoiding the tool because some thought it was too complicated to deploy in their enterprises, Porter told CRN.

"It seems to be an effective control," Porter said. "We recommend taking a targeted approach with it against Internet Explorer and software that might be targeted by different groups."

Microsoft's EMET is best suited to small organizations with less complex environments. Even so, the tool is favored by nearly all security experts and is cited in the 20 Critical Controls, a document created by a consortium of industry security experts to provide best practices for mitigating threats.

The 2013 Verizon DBIR found that 92 percent of all attacks emanate from outside the corporate network. Malware was used in 40 percent of the 621 breaches analyzed by Verizon. Many attacks required user interaction, typically clicking on a malicious link or file attachment. Attackers exploit vulnerabilities and install spyware or keyloggers to steal account credentials, Verizon found.

In most cases, focusing on finding specific vulnerabilities and blocking specific exploits is a losing battle, Porter said. Patching is becoming easier on desktops, with automated updates for certain components that interfere less with software configurations, he said. If users don't have administrative rights and the desktop has a stronger configuration, then organizations should wait before pushing out a patch, he added.

"There's a balance between configuration management and patch management," Porter said. "If you have very strong configurations, then you can patch in a targeted fashion and broadly over time."

If deployed properly, the final version of Microsoft's EMET, due out in May, could thwart attacks on zero-day vulnerabilities by preventing an attacker from targeting flaws regardless of whether the latest updates have been installed on an endpoint. It does so by enabling administrators to apply Data Execution Prevention (DEP), a defensive technology, to legacy software.
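The per-application protection described above sits on top of the host-wide DEP policy that Windows already enforces. The following PowerShell script is an added example, not part of the article or of EMET itself; it reads the documented DEP properties of the Win32_OperatingSystem WMI class to show an administrator which policy a machine is running, so the gap that EMET is meant to close for legacy applications is visible before the tool is deployed. The policy-value meanings are from Microsoft's WMI documentation; no EMET-specific commands are assumed.

```powershell
# Added example (not from the article): audit the host-wide DEP policy that
# EMET's per-application settings build on. Uses only the documented
# Win32_OperatingSystem properties; value meanings follow Microsoft's WMI docs.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (default: only Windows binaries and programs that opt in),
# 3 = OptOut (all programs except those explicitly excluded).
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn  (DEP enforced for all processes)'
    2 = 'OptIn     (Windows binaries and programs that opt in only)'
    3 = 'OptOut    (all programs except those explicitly excluded)'
}
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

# Summarize the DEP state of this host in one object.
[pscustomobject]@{
    Host                 = $os.CSName
    DepHardwareAvailable = $os.DataExecutionPrevention_Available
    DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
    DepForDrivers        = $os.DataExecutionPrevention_Drivers
    SupportPolicy        = $policyNames[$policy]
}

# Under the default OptIn policy a legacy application that never opted in
# runs with DEP off; that is the case EMET addresses by applying DEP to it.
if ($policy -eq 2) {
    Write-Warning 'DEP policy is OptIn: legacy applications that do not opt in run without DEP.'
}
```

Run it in an elevated PowerShell session on the endpoint being assessed; the warning fires on the default OptIn configuration, which is exactly the state in which applying DEP through EMET to older applications adds protection.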